Great project, a lot of APs themselves support VLAN segregation using RADIUS, has SPR ever considered the scenario where it might be ideal if it were just the router and it controls APs (and even switches) that way?
SPR supports receiving VLAN tagged packets over a wired LAN interface today.
Soon we are planning to support an OpenWRT package that will allow people to link up into SPR from lots of APs, provided the AP card supports AP/VLAN mode which is critical for the segmentation.
We have no plan to work more closely with managing RADIUS right now, enterprise wifi authentication is difficult to deploy securely without client-side certificates for authentication. So that makes it less appealing due to our goal of supporting any kind of wifi capable device.
Lastly, SPR does have an upsell feature where we support leaf node APs running SPR that have backhaul into a primary instance.
Yeah I already do some combination of MPSK and MAC-based Security on Aruba AP-555 and AP-655 at home with a couple hundred IOT devices, OPNsense and FreeRADIUS. I segment by (vendor, device model) instead of /30 per individual device but that’s more setup convenience than anything (it’d be possible to uniquely dot1q every device, too).
I think SPR looks neat, it’s a more well-packaged version of essentially what I already do (albeit in a kludgey way), hence the curiosity about ambition.
Yes, this is part of the story of how SPR achieves this.
So the hostapd configuration for SPR has the following components:
- ap_isolate=1
- per_sta_vif=1
- unique passphrases for devices
- firewall rules
ap_isolate stops the AP from doing L2 forwarding between clients using the pairwise keys. The per_sta_vif=1 will also ensure that each client has a unique GTK so they can't use group key encryption to communicate without the AP.
Next, unique passphrases are used. Without this, it's possible for a malicious device to decrypt WPA2 traffic passively or spin up a Rogue AP to capture traffic from peers.
And lastly -- firewall rules with default deny connect devices by policy.
That ap_isolate alone is not enough is kind of interesting, as it's possible to instead push packets to the router that will then forward to the client destination. Most off-the-shelf routers have forwarding on without a default deny policy, enabling this. The subtlety here is the attacker uses the router as the L2 destination instead of the other wireless client. At the very least attackers can send UDP packets to bypass the intended isolation. This bypass is especially powerful when changing mediums between wireless and wired, as the wired victim receiving packets will be responding back to the router, and on many consumer routers a full TCP connection will be possible then.
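The four components listed above, written out as files a defender would actually deploy. This is an added example, not SPR's own configuration: the interface names (wlan0, eth0), SSID, MAC addresses and passphrases are placeholders, and the nftables ruleset is a minimal default-deny forward chain rather than SPR's real policy engine. It pairs ap_isolate=1 and per_sta_vif=1 in hostapd with a per-device PSK file and a forward chain whose policy is drop, so the "route it through the router" hairpin described in the post is dropped along with direct client-to-client L2 traffic.

```bash
#!/bin/sh
# Added example (not SPR's files): generate a hostapd config, a per-device
# PSK file and an nftables ruleset into a directory so the four isolation
# components from the post sit side by side. All names/values are placeholders.
write_isolated_ap_configs() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/hostapd.conf" <<'EOF'
interface=wlan0
driver=nl80211
ssid=example-isolated
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# No L2 forwarding between associated clients at the AP
ap_isolate=1
# One virtual interface (wlan0.staN) and one GTK per associated station;
# needs a driver that supports AP/VLAN mode
per_sta_vif=1
# Unique passphrases per device live in a separate file
wpa_psk_file=/etc/hostapd/wpa_psk
EOF

    # hostapd wpa_psk_file format: one "MAC passphrase" line per device.
    cat > "$dir/wpa_psk" <<'EOF'
# placeholder MACs and passphrases, one device per line
02:00:00:00:00:01 device-one-passphrase-placeholder
02:00:00:00:00:02 device-two-passphrase-placeholder
EOF

    # Default-deny forward chain: a station vif may only talk to the uplink.
    # Hairpin traffic (station vif -> router -> another station vif) never
    # matches an accept rule, so the "use the router as L2 destination"
    # bypass from the post is dropped here even though the AP already isolates.
    cat > "$dir/nftables.conf" <<'EOF'
table inet isolated_ap {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "wlan0.sta*" oifname "eth0" accept
    }
}
EOF
}

# Returns 0 when the three isolation settings are present in the generated files.
check_isolation_settings() {
    dir="$1"
    grep -q '^ap_isolate=1$' "$dir/hostapd.conf" &&
    grep -q '^per_sta_vif=1$' "$dir/hostapd.conf" &&
    grep -q 'policy drop;' "$dir/nftables.conf"
}
```

Usage: `write_isolated_ap_configs /tmp/ap && check_isolation_settings /tmp/ap`, then copy hostapd.conf and wpa_psk under /etc/hostapd and load the ruleset with `nft -f /tmp/ap/nftables.conf`. Because per_sta_vif gives every client its own wlan0.staN interface, the forward chain can express policy per device rather than per SSID; with the drop policy, any allowed path has to be written as an explicit accept rule.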